CVE-2026-33691

EUVD-2026-18352
The OWASP Core Rule Set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding into the filename (e.g. "photo. php" or "shell.jsp "). The affected rules do not normalize whitespace before evaluating the file-extension regex, so the dot-extension check fails to match the padded name. This issue has been patched in versions 3.3.9 and 4.25.0.
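The weakness described above is a normalisation-before-match problem, and it is easiest to see with the check written out twice: once on the raw filename and once after whitespace has been removed. The following is an added example, not the CRS rules or project code; the extension regex is an illustrative one written for this example (the exact CRS pattern is not on the page), and the sample filenames are constructed, taken from the two padded forms the advisory names plus a few variants.

```python
import re

# Illustrative extension regex written for this example; it is NOT the actual
# OWASP CRS rule pattern (assumption). \Z anchors at the true end of the
# string; Python's $ would also match just before a trailing newline.
DANGEROUS_EXT_RE = re.compile(r"\.(php|phar|jsp|jspx)\Z", re.IGNORECASE)


def naive_has_dangerous_extension(filename: str) -> bool:
    """Evaluate the extension regex on the raw filename with no whitespace
    normalisation: the weak behaviour the advisory describes."""
    return DANGEROUS_EXT_RE.search(filename) is not None


def normalised_has_dangerous_extension(filename: str) -> bool:
    """Remove every whitespace character first (space, tab, newline, and
    Unicode spaces such as NBSP, all matched by \\s on Python str patterns),
    then evaluate the same regex: the hardened form of the check."""
    normalised = re.sub(r"\s+", "", filename)
    return DANGEROUS_EXT_RE.search(normalised) is not None


# Constructed sample filenames, as they might appear in the Content-Disposition
# header of a multipart upload. "photo. php" and "shell.jsp " are the two
# padded forms the advisory names; the others are variants built for this example.
SAMPLE_FILENAMES = [
    "photo.jpg",
    "report.pdf",
    "photo.php",
    "photo. php",        # interior padding between the dot and the extension
    "shell.jsp ",        # trailing padding after the extension
    "archive.phar\t",    # trailing tab
    "page.jspx\u00a0",   # trailing non-breaking space
]


def compare_checks(filenames):
    """Map each filename to (naive_result, normalised_result)."""
    return {
        f: (naive_has_dangerous_extension(f), normalised_has_dangerous_extension(f))
        for f in filenames
    }


def padding_evasions(filenames):
    """Filenames whose dangerous extension becomes visible only after whitespace
    normalisation. Besides being blocked, these are worth alerting on: a
    legitimate client has no reason to pad a file extension with whitespace."""
    return [
        f for f in filenames
        if normalised_has_dangerous_extension(f)
        and not naive_has_dangerous_extension(f)
    ]


if __name__ == "__main__":
    for name, (raw, norm) in compare_checks(SAMPLE_FILENAMES).items():
        print(f"{name!r:22} naive={str(raw):5} normalised={norm}")
    print("padding evasions:", padding_evasions(SAMPLE_FILENAMES))
```

Running the script shows every padded name slipping past the naive check and being caught by the normalised one. The page does not state how the CRS fix was implemented; at the engine level the same idea is what ModSecurity's `t:removeWhitespace` transformation function provides, and the `padding_evasions` list illustrates that a mismatch between the raw and normalised verdicts is itself a useful detection signal, not just something to block.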
Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | Primary | 6.8 MEDIUM | NETWORK     | HIGH            | NONE           | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Base Score (CVSS 3.x): 6.8
EPSS Score: percentile 80%
Affected Products (NVD)
Vendor | Product                         | Version
owasp  | owasp_modsecurity_core_rule_set | x < 3.3.9
owasp  | owasp_modsecurity_core_rule_set | 4.0.0 ≤ x < 4.25.0
x = vulnerable software versions
Debian Releases
Debian Product  | Codename            | Version         | Status
modsecurity-crs | bookworm            | 3.3.4-1+deb12u3 | fixed
modsecurity-crs | bookworm (security) |                 | vulnerable
modsecurity-crs | bullseye            |                 | postponed
modsecurity-crs | bullseye (security) |                 | vulnerable
modsecurity-crs | forky               | 3.3.9-1         | fixed
modsecurity-crs | sid                 | 3.3.9-1         | fixed
modsecurity-crs | trixie              | 3.3.7-1+deb13u2 | fixed
modsecurity-crs | trixie (security)   |                 | vulnerable
Amazon Linux Releases
Amazon Package   | Release           | Version                | Status
mod_security_crs | Amazon Linux 2023 | 0:4.2.0-1.amzn2023.0.3 | fixed